Hannaford CIO advice

I have seen some people point out that the Hannaford CIO is pointing fingers at Microsoft. That is true, and he does not mince words about it. However, I do not think that detracts from his more important messages. First, he calls for a defense-in-depth strategy, and second, he calls for end-to-end encryption. Both points are excellent advice, and the latter is why I have been working with the OASIS EKMI TC for several years — an extension of a project to build end-to-end encryption at West Marine back in 2004.

He finds particular fault in one aspect of the current PCI standard: “All debit- and credit-card transactions should be encrypted from end to end. That should be the minimum. It’s astonishing that isn’t the standard of PCI,” which only requires encryption when transmitting over a public network such as IP.

Right, although PCI requires encryption of the network link rather than of the card numbers themselves. Encrypting the card numbers would be the more useful design, since it would also simplify internal monitoring for malicious traffic: a card number should then never appear in the clear on the internal network, so any one that does is a signal worth alerting on.
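To make concrete what encrypting the card numbers themselves buys the monitoring side, here is an added example that is not from the article, Hannaford, or the EKMI work: a hypothetical tokenizing vault stands in for the end-to-end encrypting endpoint, and an audit over internal traffic treats any Luhn-valid PAN seen in the clear as a policy violation. The vault class, the sample log lines and the test card number are all constructed for this example.

```python
import re
import secrets

# A 16-digit run, optionally split by spaces or dashes, not embedded in a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops order numbers and other 16-digit values that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(line: str) -> list[str]:
    """Every Luhn-valid PAN that appears in clear text in one line of internal traffic."""
    found = [re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(line)]
    return [p for p in found if luhn_ok(p)]

class TokenVault:
    """Hypothetical stand-in for the encrypting endpoint: PANs go in, opaque tokens come out."""
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_urlsafe(12)   # random; carries no PAN digits
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def audit(lines: list[str]) -> list[tuple[int, str]]:
    """(line number, PAN) for every clear-text PAN; with end-to-end protection any hit is a violation."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_pans(line)]

# Constructed sample traffic; 4111111111111111 is a widely used test card number, not a real one.
LEGACY_LINES = [
    "pos-07 -> switch: auth amount=42.17 pan=4111 1111 1111 1111 exp=0409",
    "pos-07 -> switch: order=1234567812345678 status=ok",   # 16 digits but fails Luhn
]
if __name__ == "__main__":
    vault = TokenVault()
    protected = [f"pos-07 -> switch: auth amount=42.17 pan={vault.tokenize('4111111111111111')}"]
    print("legacy:", audit(LEGACY_LINES))      # [(1, '4111111111111111')]
    print("protected:", audit(protected))      # []
```

Only the vault (the equivalent of the key-holding endpoint) can turn a token back into a PAN, so the audit can be run by a monitoring team that never sees card data.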

Homa’s key point is that most retailers handle security backwards: Don’t pour everything into protecting the front door. Assume they’ll get through and have a plan to control them once they’re inside.

[…]

Homa has his own strong security strategy, which seems to be a minority view. It’s futile, he said, to continually pour resources and time into securing the front door and windows of a house that is being relentlessly attacked by well-financed thieves with plenty of time. Instead of spending so much effort trying to keep the bad guys out, assume they’ll get in.

I do not think that is a minority view. That is the standard defense-in-depth approach and a best practice since the beginning of information security, let alone physical security.

The article really does not do Bill Homa any favors, as it makes him look like he has flown off the handle about Microsoft. The author also points out that PCI auditors could be a risk too. All around pretty weak analysis, so probably not even worth a read, but I at least recognized that Homa has painted a picture of PCI security that many of us were advocating many years ago.
